Brexit Manoeuvres: Brexit and Data Protection
With a “no-deal” scenario looking increasingly likely, what steps should businesses be taking in relation to their data protection compliance regimes to prepare for 31 October this year?
The data protection framework in the UK post-Brexit
The EU General Data Protection Regulation (the “GDPR”) is the principal piece of data protection legislation across the EU. On exit day, the provisions of the GDPR will be incorporated into UK law by the European Union (Withdrawal) Act 2018 (the “Withdrawal Act”) and the GDPR will therefore remain the core law on data protection in the UK (subject to amendments to make the mechanics of the legislation work in light of the UK’s new status). Therefore, there will be no immediate change in respect of the data protection framework in the UK. In essence, post-Brexit there will be two versions of the GDPR – the existing EU version and a new UK version.
Cross-border transfers of personal data
The GDPR permits a free flow of personal data between EEA member states. Transfers out of the EEA are, however, only permitted in specified circumstances.
EEA to UK
When the UK ceases to be an EU member state it will become a “third country” for the purposes of the GDPR and this free flow of personal data will therefore no longer be permitted unless one of the specified circumstances applies:
- the European Commission has determined that the country to which the personal data is being transferred “ensures an adequate level of protection” (an “adequacy decision”);
- prescribed “appropriate safeguards” have been put in place such as standard contractual clauses or binding corporate rules; or
- a derogation applies such as the individual to whom the personal data relates having given their explicit consent to the transfer (having been informed of the possible risks).
The UK government has made it clear that it is aiming for an “adequacy decision” to be made by the European Commission permitting transfers to the UK and that it is ready to begin adequacy assessments. However, the EU’s position is that it cannot start such assessments until the UK is actually a third country. Moreover, adequacy assessments and discussions can take many months even once started. Businesses therefore need to ensure that they have alternative arrangements in place as it is unlikely that the UK will be the subject of an adequacy decision for some time after exit.
UK to EEA
The UK government has confirmed that transfers from the UK to the EEA will not be restricted and can continue as usual.
UK to non-EEA
Transfers from the UK to non-EEA countries are likely to be subject to similar rules as those in place at present. The UK will recognise existing EU adequacy decisions and standard contractual clauses so it is unlikely that additional steps need to be taken at present, although businesses should keep this under review.
UK to U.S. (under Privacy Shield)
In respect of transfers to U.S. organisations under the EU-U.S. Privacy Shield framework, modified arrangements will apply as this is a specific EU/U.S. arrangement. The government has confirmed it is making arrangements for the continued application of Privacy Shield to restricted transfers from the UK to the U.S. However, U.S. organisations participating in the Privacy Shield will need to update their public commitment to comply with the Privacy Shield to expressly state that those commitments apply to transfers of personal data from the UK.